Cyber Incident Victim: Cloudflare
Date: Oct 2023
Location: United States of America
Summary
Attackers used a session token compromised at Okta, Cloudflare's third-party identity provider, to gain unauthorized access to Cloudflare's Okta instance, hijacking employee sessions that carried administrative privileges. Cloudflare's internal security team detected the intrusion more than 24 hours before Okta notified it, and its Zero Trust controls contained the activity before the attackers could reach customer data, production systems, or networks. Two employee accounts were compromised within the Okta platform, but real-time monitoring and access controls cut off the intrusion before persistence could be established, with no impact to customer information or services.
Description
On October 18, 2023, Cloudflare's Security Incident Response Team (SIRT) detected attacks on its systems and traced them to a compromise at Okta, a third-party identity management provider. The threat actor used a session token that a Cloudflare employee had included in a support ticket and that the attacker had extracted from Okta's breached customer support system. With that token the attacker pivoted into Cloudflare's Okta instance and compromised two separate Cloudflare employee accounts, reusing an open administrative session rather than authenticating with credentials, since a replayed session token stands in for a login. Cloudflare identified the activity internally over 24 hours before receiving formal notification from Okta, which allowed immediate containment. The attackers reached Cloudflare's Okta environment but did not penetrate its production networks, customer systems, or data repositories.
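
The core of this attack is a valid session token replayed from a client the real user never used. As an added example, not part of this page and not Cloudflare's own detection tooling, the Python below groups Okta System Log events by `authenticationContext.externalSessionId` and flags any session that is later used from a different IP address or user agent than the one that opened it. The field names follow the Okta System Log schema; the log lines, user names, addresses and session IDs are constructed for the example.

```python
"""Flag Okta sessions later used from a client other than the one that opened them.

Added example, not Cloudflare's or Okta's code.  Field names follow the Okta
System Log schema; every value in SAMPLE_LOG is constructed.
"""
import json
from collections import defaultdict

# Constructed NDJSON System Log lines.  idx_sess_A is opened by a browser and
# then reused from a scripted client at a different address; idx_sess_B is benign.
SAMPLE_LOG = r"""
{"published":"2023-10-18T10:00:00.000Z","eventType":"user.session.start","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh) Chrome/118.0"}},"authenticationContext":{"externalSessionId":"idx_sess_A"}}
{"published":"2023-10-18T10:05:00.000Z","eventType":"user.authentication.sso","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"203.0.113.10","userAgent":{"rawUserAgent":"Mozilla/5.0 (Macintosh) Chrome/118.0"}},"authenticationContext":{"externalSessionId":"idx_sess_A"}}
{"published":"2023-10-18T11:42:00.000Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"alice@example.com"},"client":{"ipAddress":"198.51.100.77","userAgent":{"rawUserAgent":"python-requests/2.31.0"}},"authenticationContext":{"externalSessionId":"idx_sess_A"}}
{"published":"2023-10-18T09:30:00.000Z","eventType":"user.session.start","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.5","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows) Firefox/118.0"}},"authenticationContext":{"externalSessionId":"idx_sess_B"}}
{"published":"2023-10-18T09:31:00.000Z","eventType":"user.session.access_admin_app","actor":{"alternateId":"bob@example.com"},"client":{"ipAddress":"192.0.2.5","userAgent":{"rawUserAgent":"Mozilla/5.0 (Windows) Firefox/118.0"}},"authenticationContext":{"externalSessionId":"idx_sess_B"}}
"""


def parse_events(lines):
    """Parse an NDJSON System Log export, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def client_fingerprint(event):
    """(source IP, raw user agent) of the client that produced an event."""
    client = event.get("client", {})
    return (client.get("ipAddress"), client.get("userAgent", {}).get("rawUserAgent"))


def find_hijacked_sessions(events):
    """Return one finding per session seen from a client other than its origin.

    The origin is the client on the earliest event for that session (normally
    user.session.start).  A replayed token produces no new login event, so the
    session ID, not the login, is the key.
    """
    by_session = defaultdict(list)
    for ev in events:
        sid = ev.get("authenticationContext", {}).get("externalSessionId")
        if sid:
            by_session[sid].append(ev)

    findings = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e["published"])
        origin = client_fingerprint(evs[0])
        foreign = [e for e in evs if client_fingerprint(e) != origin]
        if foreign:
            findings.append({
                "session": sid,
                "user": evs[0]["actor"]["alternateId"],
                "origin_client": origin,
                "foreign_clients": sorted({client_fingerprint(e) for e in foreign}),
                # What was done from the foreign client is what a responder needs next.
                "foreign_events": [(e["published"], e["eventType"]) for e in foreign],
            })
    return findings


if __name__ == "__main__":
    for finding in find_hijacked_sessions(parse_events(SAMPLE_LOG.splitlines())):
        print(json.dumps(finding, indent=2))
```

A new client on an existing session is a heuristic, not proof: VPN or mobile handoffs change addresses legitimately, so in practice the check is paired with ASN and geolocation lookups and weighted by what was done from the new client (admin console access, token or user creation). Keying on the session ID rather than on login events matters because a replayed token never produces a fresh login to alert on.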

Cloudflare's Zero Trust architecture, specifically its Access, Gateway, and Data Loss Prevention tools, together with Cloudforce One threat research, let it validate the attack scope in real time and contain it quickly. The company revoked the unauthorized sessions, isolated affected systems, and ran forensic analysis to confirm the threat actor had established no persistence. Cloudflare verified that no customer data or services were affected and credited its layered security controls and prompt SIRT response. Okta later disclosed the broader breach: attackers had access to its support system since at least October 2, 2023, and had viewed files uploaded by customers during support cases. Cloudflare's investigation concluded that the incident was contained within its Okta environment, with no evidence of lateral movement beyond the two compromised accounts. Post-incident monitoring identified no further unauthorized access or downstream effects.
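
The token in this incident reached the attacker through a file an employee had attached to a support ticket. Browser HAR (HTTP Archive) captures, which support teams commonly request and which Okta's disclosure identified as the uploaded files the attacker viewed, record every cookie, Authorization header and request body of the captured session. As an added example, not Cloudflare's or Okta's tooling, the Python below redacts that material from a HAR before it is uploaded anywhere; the sample HAR, its host name and its token values are constructed.

```python
"""Redact session material from a HAR file before attaching it to a support case.

Added example, not Cloudflare's or Okta's tooling.  SAMPLE_HAR, its host name
and every token value in it are constructed.
"""
import copy
import json
import re
from urllib.parse import parse_qsl, urlencode

REDACTED = "[REDACTED]"
# Headers that carry the session itself, matched by exact (case-insensitive) name.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
# Parameter / JSON key names that usually carry credentials.  Deliberately broad.
SENSITIVE_KEY = re.compile(r"token|session|sid|auth|secret|passw|cookie|jwt|api[_-]?key", re.I)

# Constructed two-entry HAR: a GET that sends the session cookie and gets a
# token back in JSON, and a POST with an API-key header and a form password.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://example.okta.com/api/v1/users/me?ts=1",
                 "headers": [{"name": "Cookie", "value": "sid=AbC123; DT=xyz"},
                             {"name": "Accept", "value": "application/json"}],
                 "cookies": [{"name": "sid", "value": "AbC123"}, {"name": "DT", "value": "xyz"}],
                 "queryString": [{"name": "ts", "value": "1"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "sid=NeW456; HttpOnly"},
                              {"name": "Content-Type", "value": "application/json"}],
                  "cookies": [{"name": "sid", "value": "NeW456"}],
                  "content": {"mimeType": "application/json",
                              "text": "{\"id\": \"00u1\", \"sessionToken\": \"20111abc\"}"}}},
    {"request": {"method": "POST", "url": "https://example.okta.com/api/v1/authn",
                 "headers": [{"name": "Authorization", "value": "SSWS 00abc"}],
                 "cookies": [], "queryString": [],
                 "postData": {"mimeType": "application/x-www-form-urlencoded",
                              "text": "username=alice&password=hunter2"}},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "text/html", "text": "<html></html>"}}},
]}}


def _redact_json(obj, count):
    """Walk a decoded JSON body and blank scalar values under credential-like keys."""
    if isinstance(obj, dict):
        for key, val in obj.items():
            if SENSITIVE_KEY.search(key) and isinstance(val, (str, int)):
                obj[key] = REDACTED
                count[0] += 1
            else:
                _redact_json(val, count)
    elif isinstance(obj, list):
        for val in obj:
            _redact_json(val, count)


def _redact_body(body, count):
    """Redact a HAR postData/content object.  Non-JSON, non-form bodies are left alone."""
    if not body or not isinstance(body.get("text"), str):
        return
    mime = body.get("mimeType", "")
    if "json" in mime:
        try:
            data = json.loads(body["text"])
        except ValueError:
            return
        _redact_json(data, count)
        body["text"] = json.dumps(data)
    elif "x-www-form-urlencoded" in mime:
        pairs = []
        for key, val in parse_qsl(body["text"], keep_blank_values=True):
            if SENSITIVE_KEY.search(key):
                val = REDACTED
                count[0] += 1
            pairs.append((key, val))
        body["text"] = urlencode(pairs)


def sanitize_har(har):
    """Return (sanitized copy, number of values redacted).  The input is not modified."""
    har = copy.deepcopy(har)
    count = [0]
    for entry in har.get("log", {}).get("entries", []):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for header in part.get("headers", []):
                if header.get("name", "").lower() in SENSITIVE_HEADERS:
                    header["value"] = REDACTED
                    count[0] += 1
            for cookie in part.get("cookies", []):  # any cookie may be the session
                cookie["value"] = REDACTED
                count[0] += 1
        request = entry.get("request", {})
        for param in request.get("queryString", []):
            if SENSITIVE_KEY.search(param.get("name", "")):
                param["value"] = REDACTED
                count[0] += 1
        _redact_body(request.get("postData"), count)
        _redact_body(entry.get("response", {}).get("content"), count)
    return har, count[0]


if __name__ == "__main__":
    clean, n = sanitize_har(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(clean, indent=1))
```

The key pattern errs toward over-redaction (it will also blank a JSON field named `author`), which is the right failure direction for a file that is leaving your control, and cookie values are redacted unconditionally because any one of them may be the session. Binary and non-JSON response bodies are left untouched, so the output still deserves a look before it is attached, and the captured session should be revoked afterwards regardless: sanitizing the upload reduces exposure, but the token has already been written to disk once.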
